Sanitize to remove html
Closed this issue · 5 comments
Do you have any suggestions on how to remove html during sanitization?
Depends on your paranoia level. The strip_tags() function is lightweight in that it's built into PHP, though it may not catch all cases. On the other end of the spectrum, HTMLPurifier is apparently the gold standard, but it's a lot more code to support and interface with. In the middle is DOM, which is built in but requires some work on your part.
Does that begin to help?
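The two built-in options mentioned above, side by side. This is an added example for the thread, not code from the Aura.Filter project or from either commenter; the input strings are constructed here for illustration, and the function names are this example's own. It shows the caveat that strip_tags() keeps the text inside the tags it removes (so script bodies survive), while a DOM pass can drop whole subtrees, but its output is decoded text that must be escaped again on the way out.

```php
<?php
declare(strict_types=1);

// Added example (not from the Aura.Filter project or this thread).
// Compares strip_tags() with a DOM-based strip on constructed input.

/** Lightweight: strip_tags() removes tags but keeps their text content. */
function stripWithStripTags(string $html): string
{
    return strip_tags($html);
}

/**
 * DOM-based: parse the fragment, drop whole <script>/<style> subtrees
 * (including their text), then return the remaining text content.
 * The <meta charset> wrapper keeps libxml from mis-guessing the encoding.
 */
function stripWithDom(string $html): string
{
    $dom = new DOMDocument();
    $previous = libxml_use_internal_errors(true); // tolerate malformed markup quietly
    $dom->loadHTML(
        '<!DOCTYPE html><html><head><meta charset="utf-8"></head><body>'
        . $html
        . '</body></html>'
    );
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    $xpath = new DOMXPath($dom);
    foreach ($xpath->query('//script|//style') as $node) {
        $node->parentNode->removeChild($node);
    }

    $body = $dom->getElementsByTagName('body')->item(0);
    return $body === null ? '' : $body->textContent;
}

/** Runs both approaches over constructed samples and returns the results. */
function demo(): array
{
    // Constructed inputs, not taken from the thread.
    $samples = [
        'script body'   => 'Hello <b>world</b><script>alert(1)</script>',
        'entity-encoded' => 'Price &lt;b&gt;5&lt;/b&gt; &amp; tax',
    ];

    $out = [];
    foreach ($samples as $label => $html) {
        $out[$label] = [
            'strip_tags' => stripWithStripTags($html),
            'dom'        => stripWithDom($html),
        ];
    }
    return $out;
}

foreach (demo() as $label => $result) {
    echo $label, PHP_EOL;
    foreach ($result as $method => $text) {
        // Whatever survived is plain text now; escape it again when rendering.
        echo '  ', str_pad($method, 10), ': ', htmlspecialchars($text, ENT_QUOTES, 'UTF-8'), PHP_EOL;
    }
}
```

Expect strip_tags() to leave `alert(1)` behind in the first sample, while the DOM version drops it with the script element. In the second sample strip_tags() passes the entities through untouched, whereas textContent decodes them to `<b>5</b> & tax`; that is why the output loop re-escapes before printing.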
I took your advice and found a good function that regex strips tags, and then runs through strip tags. I have a problem though.
```php
// Sanitize rule from the Aura.Filter docs example: the callback is expected
// to write the cleaned value back onto $subject and return true on success.
$f->sanitize('title')->to('callback', function ($subject, $field) {
    if (function_exists('strip_html_tags')) {
        $subject->$field = strip_html_tags($subject->$field);
    }
    return true;
});
```
Based on the example in the docs. Problem is, it lets the string through the sanitize function intact, with tags. I've verified that my strip_html_tags function works.
How about writing a test to show this is not working as expected?
You may want to look at https://github.com/auraphp/Aura.Filter/blob/2.x/tests/SubjectFilterTest.php, or at https://github.com/auraphp/Aura.Filter/blob/2.x/tests/Rule/Sanitize/AbstractSanitizeTest.php and https://github.com/auraphp/Aura.Filter/blob/2.x/tests/Rule/Sanitize/CallbackTest.php.
Thank you.
@designermonkey also, I wonder whether it is really going inside the if (function_exists('strip_html_tags')) {. Do you have a namespace etc. on that class? In that case it probably may not be. Try an exit inside it for a quick test.
Turns out it was me being a muppet. I return a request instance from my filter functionality, and had neglected to add the filtered input back to the immutable instance.
Sorry chaps. Thanks for your time though.
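The failure mode described in the resolution above, as an added example (not code from the Aura.Filter project or from the reporter). It assumes aura/filter 2.x is installed via Composer, that the `callback` sanitize rule receives `($subject, $field)` as in the thread's own snippet, and that `apply()` accepts an object subject; the `Request` class is a hypothetical stand-in for an immutable request object. The sanitizer runs and modifies `$subject`, but the caller only sees the result if the filtered value is copied into the new immutable instance.

```php
<?php
declare(strict_types=1);

// Added example, not part of the thread or the Aura.Filter project.
require __DIR__ . '/vendor/autoload.php'; // assumes aura/filter 2.x via Composer

use Aura\Filter\FilterFactory;

/** Hypothetical immutable request: every change returns a new instance. */
final class Request
{
    /** @var array<string, string> */
    private $input;

    public function __construct(array $input)
    {
        $this->input = $input;
    }

    public function withInput(array $input): self
    {
        return new self($input);
    }

    public function input(): array
    {
        return $this->input;
    }
}

/** Runs the sanitize callback over the request's input and returns a new request. */
function sanitizeRequest(Request $request, bool $copyBack): Request
{
    // Aura.Filter works on the subject in place, so hand it a mutable copy.
    $subject = (object) $request->input();

    $filter = (new FilterFactory())->newSubjectFilter();
    $filter->sanitize('title')->to('callback', function ($subject, $field) {
        // Write the cleaned value back; the boolean only reports success.
        $subject->$field = strip_tags((string) $subject->$field);
        return true;
    });

    if (!$filter->apply($subject)) {
        throw new RuntimeException('sanitize failed: ' . print_r($filter->getFailures(), true));
    }

    // The bug from the thread: returning a request built from the original
    // input discards everything the callback did to $subject.
    if (!$copyBack) {
        return $request->withInput($request->input());
    }

    // The fix: build the new immutable instance from the filtered subject.
    return $request->withInput((array) $subject);
}

// Constructed input, not from the thread.
$raw = new Request(['title' => 'Hello <b>world</b><script>alert(1)</script>']);

echo 'without copy-back: ', sanitizeRequest($raw, false)->input()['title'], PHP_EOL;
echo 'with copy-back:    ', sanitizeRequest($raw, true)->input()['title'], PHP_EOL;
```

The first line still carries the tags, which is exactly the symptom reported earlier in the thread even though the callback itself ran; the second line shows the stripped title once the filtered subject is what the new request is built from.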